IETF Logo Mail Archive

Re: Validation of Packet Too Big Payload using Echo Request

Prabhakar Lakhera <plakhera@apple.com> Wed, 29 January 2020 17:14 UTC

Return-Path: <plakhera@apple.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A1DE1200F7 for <ipv6@ietfa.amsl.com>; Wed, 29 Jan 2020 09:14:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QziVlU10kkhV for <ipv6@ietfa.amsl.com>; Wed, 29 Jan 2020 09:14:24 -0800 (PST)
Received: from nwk-aaemail-lapp02.apple.com (nwk-aaemail-lapp02.apple.com [17.151.62.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 961AA120127 for <6man@ietf.org>; Wed, 29 Jan 2020 09:14:24 -0800 (PST)
Received: from pps.filterd (nwk-aaemail-lapp02.apple.com [127.0.0.1]) by nwk-aaemail-lapp02.apple.com (8.16.0.27/8.16.0.27) with SMTP id 00THCR28040931; Wed, 29 Jan 2020 09:14:23 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : from : content-type : mime-version : subject : message-id : date : cc : to; s=20180706; bh=UcDc8Y23rRYEw1y0lxEULbhwj3ZAWj5HynGDVHmormA=; b=FPhET8YSn4R5rEDm3lZRMyMADfPsbHfRPZU3rUBq1CRbhD99fSxrhCzUhA6LkWsf00Qh vUIov5hrBhvQGbhjY3SX6FgVq1UkJfCwiiKAQHpFA49v+BjuSaOk5fIrbTf4s/EKtuo9 4GNObV1Y+m0sFEBDrA8puWmv99cMmwDN9NTV/m6KtvCVdJiuaV8FkDaRI0t3SBbGmyX+ QlMiujCmV4OGgIPUhqR51GVHyS/7ADDw5AqCvCXZFS/kN5MKWgj0fh52pVsDsJrQc3Gx tTMaZZxBi1dwiYUWlLl/38nI5CbxE1gQcUY+CuHuxyNwklNfUIaDYAHzYpUdR0kMpJjd lw==
Received: from ma1-mtap-s03.corp.apple.com (ma1-mtap-s03.corp.apple.com [17.40.76.7]) by nwk-aaemail-lapp02.apple.com with ESMTP id 2xrk4q1ag2-4 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 29 Jan 2020 09:14:23 -0800
Received: from nwk-mmpp-sz09.apple.com (nwk-mmpp-sz09.apple.com [17.128.115.80]) by ma1-mtap-s03.corp.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0Q4V008P9P7WK110@ma1-mtap-s03.corp.apple.com>; Wed, 29 Jan 2020 09:14:22 -0800 (PST)
Received: from process_milters-daemon.nwk-mmpp-sz09.apple.com by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0Q4V00D00ONU0E00@nwk-mmpp-sz09.apple.com>; Wed, 29 Jan 2020 09:14:22 -0800 (PST)
X-Va-A:
X-Va-T-CD: 7ca02bdd6db1762c13f0b577446548f7
X-Va-E-CD: f5c12aef7156e4eaffb3234cbd110187
X-Va-R-CD: f19c62e0b4b466324fa430a169bcbf72
X-Va-CD: 0
X-Va-ID: f7773a68-7987-48b6-b3a3-805f8f652d8d
X-V-A:
X-V-T-CD: 7ca02bdd6db1762c13f0b577446548f7
X-V-E-CD: f5c12aef7156e4eaffb3234cbd110187
X-V-R-CD: f19c62e0b4b466324fa430a169bcbf72
X-V-CD: 0
X-V-ID: 921dba6e-3499-48d3-a547-5a4d4d427120
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2020-01-29_04:,, signatures=0
Received: from [17.234.97.22] (unknown [17.234.97.22]) by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0Q4V00FHYP7T4900@nwk-mmpp-sz09.apple.com>; Wed, 29 Jan 2020 09:14:18 -0800 (PST)
Sender: plakhera@apple.com
From: Prabhakar Lakhera <plakhera@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_F8DFEA87-C02A-4DF9-AA5F-C45F1A7950FA"
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3594.4.19\))
Subject: Re: Validation of Packet Too Big Payload using Echo Request
Message-id: <F4F6D67D-68B6-476C-94C2-2E68F3504CCC@apple.com>
Date: Wed, 29 Jan 2020 09:14:17 -0800
Cc: 6MAN <6man@ietf.org>
To: Ole Troan <otroan@employees.org>, Timothy Winters <twinters@iol.unh.edu>
X-Mailer: Apple Mail (2.3594.4.19)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-01-29_04:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/hP5TVh1iMOuooYb1uOHmzEMYTBU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 17:14:27 -0000

Hi,

I believe it is ok to leave the RFC 8201 as is.
It is the test that needs to be looked at.

Inline:

On Tue, Jan 28, 2020 at 3:10 AM <otroan@employees.org <mailto:otroan@employees.org>> wrote:

>> The IPv6 Ready Logo Committee updated testing to include a test for validating the Packet Too Big message content based on the following part of 8201.
>> 
>> "Nodes should appropriately validate the payload of ICMPv6 PTB
>>   messages to ensure these are received in response to transmitted
>>   traffic (i.e., a reported error condition that corresponds to an IPv6
>>   packet actually sent by the application) per [ICMPv6]."
>> 
>> I've included the steps below used to verify the IPv6 implementation validates the Packet Too Big.
>> 
>> Step
>> Action
>> Expected Behavior
>> 1. TR1 forwards an Echo Request from TN2 to the NUT.  The packet size is 1500 octets.
>> The NUT should respond without fragmenting the packet to the Echo Request using TR1 as a first hop.

Please note, that for most implementations ICMPv6 Echo Reply are not generated by some application.
They are generated by the system by reflecting the ICMPv6 Echo Requests and are sent unreliably and without keeping any state.

On the other hand, for UDP, one can validate the ports. For TCP one can also compare sequence numbers.

The point is the different level of validation might be possible with some protocols and for some protocols, like being tested for ICMPv6, it is not.

Changing the behavior for stack implementation for the test would require stack to become stateful and not just fire and forget ICMPv6 replies.
It also would require the replies to be held onto sometime. That IMHO has unnecessary complexity, overhead and security implications.

It is ok to leave the RFC as is but it needs to be interpreted correctly for any compliance requirements.

Frankly, I think for compliance this should be treated as a *SHOULD* and not as a MUST.

>> 2.
>> TR1 transmits a Packet Too Big message to the NUT with an ICMPv6 Identifier does not match the Echo Reply in Step 1.
>> 
>> 3.
>> TR1 forwards an Echo Request from TN2 to the NUT.  The packet size is 1500 octets.
>> The NUT should respond without fragmenting the packet to the Echo Request using TR1 as a first hop.
>> 
>> We received a comment that this validation shouldn't apply to ICMPv6 and it should only apply to TCP or protocols that have state.   Do we think this only applies to TCP or is it valid for all traffic?
> 
> RFC8201 is a network layer mechanism, and the paragraph above applies to
> all packets sent by the node. Regardless of transport layer protocol.

v2.23.0 | Report a Bug | By Email